Monthly Archives: June 2014

Android 4.4 is PATCHED but earlier versions still vulnerable

IBM researchers have discovered a critical security vulnerability in Android 4.3 (Jelly Bean) and below which could allow attackers to exfiltrate sensitive information – credentials, private keys – from vulnerable devices. The vulnerability is found in Android’s secure storage service KeyStore, and can be misused to cause a stack-based buffer overflow, which would then allow malicious code to be executed under the keystore process. The vulnerability was discovered last September, and immediately disclosed to the Android Security Team. A patch for the flaw was included in the new Android version (4.4 – KitKat) a few months later.

PayPal’s Two-Factor authentication bypass vulnerability

PayPal was one of the first large online service providers to offer two-factor authentication to its users, but until recently the company’s implementation had a loophole that could have allowed attackers to bypass this additional protection. Two-factor authentication (2FA) systems prevent hackers from misusing stolen user names and passwords by requiring an additional randomly generated security code during the authentication process. Depending on the implementation, the secret codes can be generated using a special mobile application, received via text message, or generated by a physical hardware device. According to researchers from 2FA provider Duo Security, the PayPal “Security Key” feature — which is what the payment service provider calls its two-factor authentication system — could have easily been bypassed until Monday through the company’s mobile apps and API (application programming interface).

Microsoft fixes DoS flaw in its Malware Protection Engine

The Microsoft Malware Protection Engine that is integrated into several Microsoft anti-malware products, including Microsoft Security Essentials, was updated on Tuesday to address a vulnerability that could enable a denial-of-service (DoS) condition. Microsoft Forefront Client Security, Microsoft Forefront Endpoint Protection 2010, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center 2012 Endpoint Protection, Microsoft Malicious Software Removal Tool, and Windows Intune Endpoint Protection, as well as various versions of Windows Defender, are among the affected software. Microsoft has deemed the vulnerability to be “important”, meaning it could be exploited to compromise user data or processing resources, but not without user action, according to a Microsoft advisory posted on Tuesday.

Android and iOS both have security risks

When it comes to enterprise security, the platform used behind the company’s network is rarely a compelling argument, a report from a security company shows. From a regular user’s standpoint, iOS offers more security thanks to Apple’s controlled app distribution and the limitations imposed on the operating system. On the other hand, Android users have more sources to pull apps from, hence they’re exposed to a higher security risk. If the user downloads apps from reputable places, the danger is greatly mitigated. However, a threat report around the BYOD (Bring Your Own Device) theme, released by Marble Security, shows that in an enterprise environment, neither operating system “is inherently more secure than the other.” The report explains that despite Apple’s tight app distribution control, a non-jailbroken iOS device can still download software from enterprise app marketplaces, through various testing apps and programs.

Microsoft’s massive Patch Tuesday for June

Microsoft has released updates for critical flaws in Word, Office, and Internet Explorer, along with firmware updates for its Surface 2 tablet line. Microsoft said that the June edition of Patch Tuesday would address a total of 66 common vulnerabilities and exposures (CVE)–class vulns, most of them in Internet Explorer. In total, the IE bulletin addresses 59 flaws, an unusually large patch load considering Microsoft’s monthly update cycle. The update, which applies to all versions of Internet Explorer 8 through 11, includes fixes for remote code execution and elevation of privilege flaws in the browser. The company said that two of the flaws have already been publicly disclosed, and that the update should be considered a top priority for testing and deployment. The second critical bulletin will address a flaw in the Microsoft Graphics Component which could potentially allow remote code execution by way of a specially crafted webpage or file. The flaw is present in all currently supported versions of Windows, Office, and Lync.

Mozilla addresses seven flaws in Firefox 30

The Mozilla Firefox 30 browser does not include major new features, yet it does provide users with security fixes and some incremental updates. Released on June 10, Firefox 30 improves on the Firefox 29 browser, which debuted April 29 with the biggest user interface update for the open-source browser in years. Firefox 30.0 includes seven security advisories attached to the open-source browser release. As is common in nearly every Firefox release, one of the security advisories is identified as fixing “miscellaneous memory safety hazards.” In the case of Firefox 30, only two memory hazards, CVE-2014-1533 and CVE-2014-1534, are patched. Firefox isn’t the only Web browser that has to face the challenge of memory-related security vulnerabilities.

Six more bugs found in OpenSSL

The OpenSSL team released a security update that fixes 6 vulnerabilities, two of which could be considered critical. The first one is an SSL/TLS MITM vulnerability (CVE-2014-0224). “An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server,” it has been explained. “The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”

Apache releases Tomcat patches

Apache recently patched Tomcat, fixing a trio of information disclosure bugs and a denial of service bug in the open source web server and servlet container. The denial of service bug, discovered in February by David Jorm of the Red Hat Security Response Team, could have allowed an attacker to create a malformed chunk size as part of a chunked request that would’ve allowed an unlimited amount of data to be streamed to the server. This would have bypassed the size limits enforced on a request and triggered a denial of service condition.